TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

The Modernized e-File Release 6.2 Included Enhancements, but Improvements Are Needed for Tracking Performance Issues and Security Weaknesses

September 8, 2011

Reference Number: 2011-20-088

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Phone Number  | 202-622-6500
Email Address | TIGTACommunications@tigta.treas.gov
Web Site      | http://www.tigta.gov

HIGHLIGHTS

THE MODERNIZED E-FILE RELEASE 6.2 INCLUDED ENHANCEMENTS, BUT IMPROVEMENTS ARE NEEDED FOR TRACKING PERFORMANCE ISSUES AND SECURITY WEAKNESSES

Final Report issued on September 8, 2011

Highlights of Reference Number: 2011-20-088 to the Internal Revenue Service Chief Technology Officer.

IMPACT ON TAXPAYERS

The Modernized e-File (MeF) Project goal is to replace the Internal Revenue Service’s (IRS) current tax return filing technology with a modernized, Internet-based electronic filing platform. The IRS’s processes for enhancing the MeF System can be improved to better validate correction of prior release performance and stability issues. This will allow more individual taxpayers to take advantage of the benefits of electronic filing.

WHY TIGTA DID THE AUDIT

This review is part of our Fiscal Year 2011 Annual Audit Plan and addresses the major management challenge of Modernization of the IRS. The overall objective of this review was to determine whether the IRS properly identified and corrected MeF performance and stability problems identified during the 2010 Filing Season.

WHAT TIGTA FOUND

The MeF Project Office followed Change Management processes, included key performance enhancements in Release 6.2, and effectively accomplished testing prior to implementation. However, improvements are needed for tracking performance issues and security weaknesses. Specifically, internal matrices captured performance enhancements; however, documentation did not support that enhancements were tracked to recommended solutions, and internal controls or guidance were not established for using the matrices. Therefore, TIGTA was unable to validate whether issues during the 2010 Filing Season were resolved. Additionally, seven of 24 General Support System security weaknesses affecting the MeF System were unresolved and not being tracked. Further, although issues were identified, they were not tracked as required by the MeF Risk Management Plan.

WHAT TIGTA RECOMMENDED

TIGTA recommended that the Chief Technology Officer ensure: 1) all identified performance issues are effectively mapped through to their resolution for all future filing seasons; 2) guidance is established for consistent use of the internal matrix to accurately depict the status of performance enhancements and solutions; 3) all confirmed MeF security weaknesses not immediately mitigated are included in the Plan of Action and Milestones to ensure adequate documentation, reporting, and resolution tracking; and 4) all issues and risks are included in the Item Tracking Reporting and Control System or that procedures outside the scope of the MeF Risk Management Plan are properly documented and approved.

The IRS agreed with three of TIGTA’s recommendations and stated corrective actions have been taken or started. However, the IRS disagreed with TIGTA’s recommendation that all confirmed MeF security weaknesses were not immediately mitigated and included in the Plan of Action and Milestones. The IRS stated it has currently accounted for all security controls confirmed as not in place within the Plan of Action and Milestones by confirming these through a Security Assessment and Authorization currently in progress. However, TIGTA maintains that the Plan of Action and Milestones should be continuously monitored and updated as weaknesses are identified or changes occur and milestones are achieved. This will ensure the accuracy of the information that is reported quarterly to the Department of the Treasury.

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

September 8, 2011

MEMORANDUM FOR CHIEF TECHNOLOGY OFFICER

FROM:     Michael R. Phillips
          Deputy Inspector General for Audit

SUBJECT:  Final Audit Report – The Modernized e-File Release 6.2 Included Enhancements, but Improvements Are Needed for Tracking Performance Issues and Security Weaknesses (Audit # 201020028)

This report presents the results of our review of the Modernized e-File Release 6.2.
The overall objective of this review was to determine whether the Internal Revenue Service (IRS) properly identified and corrected Modernized e-File performance and stability problems identified during the 2010 Filing Season.¹ This audit is included in the Treasury Inspector General for Tax Administration Fiscal Year 2011 Annual Audit Plan and addresses the major management challenge of Modernization.

Management’s complete response to the draft report is included in Appendix VII.

Copies of this report are also being sent to the IRS managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Alan R. Duncan, Assistant Inspector General for Audit, Security and Information Technology Services, at (202) 622-5894.

¹ See Appendix VI for a glossary of terms.

Table of Contents

Background

Results of Review
    Modernized e-File Planning Included Key Performance Enhancements and Followed Prescribed Change Management Processes
    Improvements Are Needed to Ensure Performance Enhancements Resolve Filing Season Problems
        Recommendation 1
        Recommendation 2
    Modernized e-File Security Weaknesses Are Still Not Adequately Controlled
        Recommendation 3
    Issue Management Processes Need Improvement
        Recommendation 4

Appendices
    Appendix I – Detailed Objective, Scope, and Methodology
    Appendix II – Major Contributors to This Report
    Appendix III – Report Distribution List
    Appendix IV – Enterprise Life Cycle Overview
    Appendix V – Modernized e-File System Unresolved Security Weaknesses Not Being Tracked in the Plan of Action and Milestones
    Appendix VI – Glossary of Terms
    Appendix VII – Management’s Response to the Draft Report

Abbreviations

e-file    Electronic Filing
IRS       Internal Revenue Service
ITRAC     Item Tracking Reporting and Control
MeF       Modernized e-File
MITS      Modernization and Information Technology Services
PET       Performance Enhancement Team
POA&M     Plan of Action and Milestones
TIGTA     Treasury Inspector General for Tax Administration

Background

    The MeF Release 6.2 will provide code optimization to support the anticipated volume of returns in the 2010 through 2012 Filing Seasons. The MeF System must be capable of processing more than 100 million electronically filed tax returns.

In December 1998, the Internal Revenue Service (IRS) announced its mission to revolutionize the way taxpayers transact and communicate with the IRS. In order to achieve this goal, the plan was to replace the current outdated technology with a modernized, Internet-based electronic filing (e-file) platform. The system’s purpose was to streamline the tax return filing process and reduce costs associated with paper tax returns. In February 2004, the IRS deployed the initial release of the Modernized e-File (MeF) System, which provided electronic filing of the U.S. Corporation Income Tax Return (Form 1120) and other associated corporate forms.
The overall scope of the MeF System includes filing of electronic tax returns for corporations, partnerships, nonprofit/tax exempt businesses, and individuals. According to the MeF Information Technology Dashboard, dated March 31, 2011, the MeF Program’s overall budgeted amount until Fiscal Year 2020 is $575.8 million.

The IRS deployed MeF Release¹ 6.1 on February 17, 2010, to begin electronically processing the U.S. Individual Income Tax Return (Form 1040), along with 22 other forms and schedules. Subsequently, MeF Release 6.2 went live on January 8, 2011, and focused on performance and ensuring all capabilities within the MeF System could process the anticipated volume of tax returns during the upcoming 2010 through 2012 Filing Seasons. MeF Release 6.2 enhancements were developed to allow an increase in the number of users needing system access, enlarge the volume and types of forms being processed, continue operation and maintenance, and launch logical design activities for the disaster recovery solution.

The MeF System is expected to replace the IRS’s current tax return filing technology by the 2013 Filing Season. To reach this goal, the MeF System must be capable of processing more than 100 million electronically filed individual income tax returns, allowing more individual taxpayers to use electronic filing. Performance and stability will be paramount to successful implementation as the IRS moves forward.
Specific challenges faced by the MeF System include:

    • Improving service to taxpayers and practitioners.
    • Reducing processing congestion and errors.
    • Managing and processing a high volume of returns.
    • Improving processing-related issue management.

¹ See Appendix VI for a glossary of terms.

In February 2010, the MeF Project Office began work to address performance and stability requirements for Release 6.2. As a result, the MeF Project Office established a MeF Performance Enhancement Team (PET) and held a kickoff meeting for the team on April 20, 2010.

This review was performed at the Modernization and Information Technology Services (MITS) organization facilities in New Carrollton, Maryland, during the period August 2010 through March 2011. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. Detailed information on our audit objective, scope, and methodology is presented in Appendix I.
Major contributors to the report are listed in Appendix II.

Results of Review

The MeF Project Office used Change Management processes and ensured key performance enhancements were included in MeF Release 6.2, thus meeting its established performance goals. However, improvements are needed to strengthen management controls over resolving prior 2010 Filing Season performance issues. Additionally, controls over the MITS organization General Support System’s² security weaknesses and issue management tracking need improvement.

Modernized e-File Planning Included Key Performance Enhancements and Followed Prescribed Change Management Processes

The MeF Project Office successfully projected and planned for system performance enhancements and Change Management processes.

MeF System performance enhancements included key activities

The MeF Project Office established a MeF PET that consisted of three independent subteams—Portals, Frontend, and Backend—to ensure the MeF System adequately processed and managed the high volume of tax returns for the 2010 through 2012 Filing Seasons. The main objectives were to reduce return processing congestion and errors, manage a high volume of returns, and identify cost-efficient changes for service delivery. Overall, the MeF PET incorporated key planning activities; for example, according to the Project Management Plan, the PET identified Enterprise Key Performance Indicators, established baselines and targets, and planned for resources, roles, and responsibilities.
The three independent subteams established a repository as a tool for managing and sharing information and developed a matrix used for guiding performance changes.

The IRS Quick Alerts online service provides tax professionals with up-to-date tax information. It was enhanced to quickly disseminate real-time tax information during and after the filing season by sending e-file messages to its subscribers (e-file Transmitters, Authorized Providers, and Software Developers). Our review of IRS Quick Alerts sent to e-file Providers during the time period May through July 2010 disclosed that the Alerts system worked as intended. Specifically, during this time period, there were four Alerts citing portal login and acknowledgement issues, along with documented scheduled downtime for MeF System maintenance.

² OMB Circular A-130 defines general support systems as an “interconnected set of information resources under the same direct management control that shares common functionality. It normally includes hardware, software, information, data, applications, communications, and people.”

Change Management processes were adequate

Change Management processes used by MeF Project Office management to document and release updates to production were adequate and process improvement activities are ongoing. Enterprise-wide Change Management processes are being designed for consistent use MITS-wide.

Effective Change Management is the transition of a changed or new product from development into production, with minimum disruption to users.
It is initiated when a change to the current production environment is approved. A Change Management Board (for the MeF Program, this is the Submission Processing Executive Steering Committee) should authorize the installation of new or modified products into the current production environment. For each proposed change, the chairpersons of the Change Management Board formally assign a disposition (i.e., approve or defer), and the impacted business owners formally respond.

Our review of MeF Release 6.2 Change Management activities and processes supported that the MITS organization was proactive in improving or institutionalizing its processes. For instance, the MeF Configuration Management Plan was timely and adequately updated by MITS Configuration Management. Additionally, project documents revealed MeF Release 6.2 was properly authorized to update and change the MeF System production environment. The MeF Release 6.2 exit from development, with transition to the production environment, was properly approved by the Chairperson, Submission Processing Executive Steering Committee, with concurrence by impacted business units and stakeholders.

Industry best practices (such as the Capability Maturity Model Integration®) describe an evolutionary process improvement path leading from ad hoc or immature to more disciplined or mature processes with improved quality and effectiveness. For any given process area, such as Change Management, a critical distinction between attaining capability level 2 and a more mature capability level 3 is found in process descriptions, procedures, and scope of standards. Specifically, at capability level 2, these areas can be diverse for each particular project; however, at a more mature level 3, the areas are tailored from the organization’s own set of standard processes and become more institutionalized.
Therefore, it is commendable that the MITS organization, currently with Change Management processes for each domain (or set of projects), is designing enterprise-wide Change Management processes to improve consistency and to further institutionalize guidance for use MITS-wide. As such, the effort can lead to a more disciplined organization with improved quality and effectiveness.

Testing was effectively accomplished prior to implementation

In our prior Treasury Inspector General for Tax Administration (TIGTA) audit report, Modernized e-File Will Enhance Processing of Electronically Filed Individual Tax Returns, but System Development and Security Need Improvement,³ we reported that test results were not always being traced to requirements and not all unexpected results were thoroughly resolved. However, the current audit disclosed that all system requirements were tested or conditional approval was granted. Also, as required by the Enterprise Life Cycle, our review of test plans, execution schedules, and report and defect logs determined that they were adequately supported and maintained.
Additionally, the MeF Project Office appropriately documented and presented test results to the Submission Processing Executive Steering Committee, and meeting minutes provided evidence that testing reports were appropriately discussed prior to deployment.

³ Reference Number 2010-20-041, dated May 26, 2010.

Improvements Are Needed to Ensure Performance Enhancements Resolve Filing Season Problems

According to the Capability Maturity Model Integration, there are five common features that indicate whether the implementation and institutionalization of a key process area is effective, repeatable, and lasting. One of those features states that activities should typically involve establishing plans and procedures, performing and tracking work, and taking necessary corrective actions. The MeF Project Office developed PET Matrices to capture performance enhancements for MeF Release 6.2; however, there was either inadequate or no support documentation for performing and tracking work or for showing that necessary corrective action was taken. As a result, the TIGTA was unable to validate whether captured performance elements identified during the 2010 Filing Season were ever resolved. Specifically:

    • During the 2010 Filing Season, MeF Project Office personnel did not initially map potential performance enhancements to performance and stability issues encountered by tax practitioners. The PET indicated that performance issues were identified by reviewing resolved/closed Information Technology Asset Management System tickets and by polling customers during the filing season, and that performance enhancements were developed based on these issues. However, MeF Project Office personnel were unable to provide any documentation to support that potential performance enhancements were implemented based on issues developed from the review of resolved tickets; therefore, the TIGTA was unable to validate that this had occurred.
    • During the 2010 Filing Season, the PET identified 47 potential performance enhancements. Although they subsequently developed 56 recommended solutions for the performance enhancements, the PET Matrix Summary disclosed that the majority were not appropriately achieved. Specifically, of the 56 recommended solutions, only 15 (27 percent) indicated they were being actively worked (approved, implemented, or in progress); 32 (57 percent) were still listed as being under evaluation; and 9 (16 percent) did not stipulate a status at all (see Figure 1). Further, of the 47 identified potential performance elements, there were 11 (23 percent) for which recommended solutions were never developed.

Figure 1: Performance Enhancement Team Matrix Summary

                             Number of Recommended Solutions
            Number of        -----------------------------------------------------------
            Recommended      With a Status of Approved,    Still Under    With No Status
Teams       Solutions        Implemented, or in Progress   Evaluation     Provided
Frontend        14                        0                    14              0
Portal           9                        1                     0              8
Backend         33                       14                    18              1
Totals          56                       15                    32              9

Source: Frontend/Portal Matrix dated January 11, 2011, and Backend Matrix dated November 29, 2010.

    • Internal controls or guidance were not established for using the matrices. For example, MeF Project Office personnel stated that due to the Oracle 11g upgrade, many of the 47 performance enhancements were no longer necessary; however, the matrices were never updated to reflect that current information. Also, personnel did not always use the matrices consistently. Specifically, of the Number of Recommended Solutions for the Portal, 8 (89 percent) of 9 did not have status provided, and none of them provided a target release date (not shown in Figure 1). Furthermore, the PET Matrices included a column titled “Status” for recording details/status on recommended solutions; however, the answers lacked consistent terminology. For example, rows within this column used terms, such as Under Evaluation, Under Analysis, Needs Evaluation, and Evaluating, which were sometimes used interchangeably.

Mapping performance enhancements to performance and stability issues identified in the 2010 Filing Season will help ensure performance issues are actively resolved for future filing seasons, duplication of effort is not occurring, and the entire resolution process is being accomplished.
Further, guidance is necessary for establishing internal controls to ensure the PET Matrices are complete, accurate, updated in a timely manner, and use consistent terminology.

Recommendations

Recommendation 1: The Chief Technology Officer should direct the PET to effectively map all identified performance issues through to their resolution for all future filing seasons.

    Management’s Response: The IRS agreed with the recommendation. The MeF Project Office has developed a PET Matrix which documents all MeF performance-related issues. The matrix will be used by the PET to identify possible resolutions and to track the work associated with each of the resolutions. Performance-related activities that were deferred from MeF Release 6.2 will be included in this matrix. As part of the regularly scheduled PET status meetings, the matrix will be updated and reviewed.

Recommendation 2: The Chief Technology Officer should direct the PET to establish guidance requiring, at a minimum, timely updates and consistent terminology be used in the PET Matrices to accurately depict the status of performance enhancements and solutions.

    Management’s Response: The IRS agreed with the recommendation. The PET Matrix will be put under tight configuration control. A single point of contact will be identified to update the matrix. Status updates from the members of the PET will be provided to the point of contact during the regularly scheduled PET meetings.
    Once the updates are made by the point of contact, the matrix will be posted (in a read only mode) for all PET members to access. Consistent terminology will be used to the extent possible and where relevant.

Modernized e-File Security Weaknesses Are Still Not Adequately Controlled

In our prior TIGTA audit report, we recommended that the IRS Cybersecurity organization complete process implementation to ensure that system owners comply with IRS policy to enter and track all system security weaknesses in IRS control systems. The MITS Cybersecurity organization responded it made continuous improvements to the Plan of Action and Milestones (POA&M) process in recent years, and it now considers the process complete and implemented as of March 25, 2010.

The MITS Cybersecurity organization is still not tracking all system security weaknesses

The MITS Cybersecurity organization reported 24 unresolved security weaknesses during MeF Releases 6.1 and 6.2 security assessments.
We reviewed the Fiscal Year 2011 MeF System and some MITS General Support System POA&Ms⁴ to identify the tracking of these security weaknesses and to determine if the corrective action taken by the IRS to improve the POA&Ms was adequately implemented.

Based on our review of the 24 security weaknesses, we identified 7 MITS General Support System security weaknesses affecting the MeF Program that were unresolved and not being tracked in the POA&M as required.⁵ Three of the seven security weaknesses have been reported multiple times by the Cybersecurity organization and still have not been included in the POA&M. The MeF Project Office staff stated they are not responsible for the General Support System security weaknesses, and if security weaknesses have not been validated by security testing, they are not documented in the POA&M.

⁴ We reviewed the General Support System POA&Ms that included issues relating to the MeF System.

However, the IRS MITS Plan of Action and Milestones (POA&Ms) Standard Operating Procedure specifies that the POA&M must be prepared for all system- and program-level security weaknesses. The POA&M must include complete, comprehensive descriptions of the security weaknesses and detailed explanations of the steps and dates when the mitigations or remedies will be applied. The IRS is required to report on a quarterly basis to the Department of the Treasury the status of its POA&M items. The Department of the Treasury annually submits a consolidated agency report to the Office of Management and Budget and Congress.
The Trusted Agent Federal Information Security Management System is the application that the
Department of the Treasury and the IRS use to track and monitor POA&M weaknesses. All
POA&M weaknesses must be entered into the Trusted Agent Federal Information Security
Management System to satisfy the reporting requirements.

Additionally, three of the seven security weaknesses identified in the security assessments
included risk-based decisions for the MeF System to proceed without the required security
controls in place. The Cybersecurity organization should have included these security
weaknesses in the General Support System POA&M to document and track them to resolution so
the required security controls will eventually be in place for the MeF System.

According to the IRS’s Request for Risk Acceptance and Risk Based Decision (RBD) Standard
Operating Procedure (SOP), security weaknesses can be discovered at any point in a system’s
lifecycle and by many different means. It is also possible that some security weaknesses will be
uncovered during development activities. Additionally, the procedure states that regardless of
the source, when a security weakness is discovered, the first steps are to thoroughly analyze the
weakness, determine a plan to remediate or mitigate the weakness, and lay out a workable
schedule for implementation of the corrective activities.
The procedure states that, for
production systems, all of this is captured in a POA&M and entered into the Trusted Agent
Federal Information Security Management System.

Inadequate reporting of National Institute of Standards and Technology outstanding security controls

The IRS should protect the MeF System by implementing appropriate security controls to ensure
the confidentiality, integrity, and availability of sensitive data, as recommended in the National
Institute of Standards and Technology Special Publication 800-53.[6] These security controls
include system access, audit logging, and contingency planning. In addition, the IRS is
specifically required by Federal law[7] to keep taxpayer data confidential and prevent unauthorized
disclosure or browsing of taxpayer records. These requirements apply to all IRS computer
systems that maintain sensitive data.

[5] See Appendix V for the seven unresolved security weaknesses not being tracked in the POA&M.
[6] Recommended Security Controls for Federal Information Systems, Revision 2, dated December 2007.

Because not all of the security weaknesses related to the MeF System are being tracked in the
POA&M, it is difficult to determine which National Institute of Standards and Technology
security controls are missing. For example, the Submission Processing Executive Steering
Committee presentation from December 29, 2010, requesting MeF Release 6.2, Milestone 4b
exit,[8] showed that there were two remaining POA&M items relating to two security
controls.
However, based on our review of the Fiscal Year 2011 MeF System POA&M items,
there were actually three remaining POA&M items that addressed five security controls.
Additionally, based on our analysis of the ongoing General Support System security weaknesses
affecting the MeF System, there were 12 additional security controls that were not in place.

Without properly reporting all MeF System ongoing security weaknesses in the POA&M, the
IRS cannot ensure that the security weaknesses are being properly reported and tracked to
resolution. If the security weaknesses are not resolved, the MeF System does not include all of
the National Institute of Standards and Technology required security controls and remains
vulnerable. Additionally, the Office of Management and Budget uses the information in the
POA&M to assess the IRS’s progress in alleviating system weaknesses, monitor the Federal
Government’s ability to implement the Federal Information Security Management Act of 2002,[9]
and make budgetary decisions. Inaccurate or incomplete POA&M information affects the Office
of Management and Budget’s ability to obtain an accurate status of IRS security weakness
remediation.

Recommendation

Recommendation 3: The Chief Technology Officer should ensure that all confirmed MeF
security weaknesses from all sources, that are not mitigated immediately, are included in the
POA&Ms to ensure adequate documentation, reporting, and tracking to resolution.

        Management’s Response: The IRS disagreed with the recommendation and stated
        the Chief Technology Officer ensures all confirmed security weaknesses from all sources
        that are not mitigated immediately are included in the POA&Ms to ensure adequate
        documentation, reporting, and tracking to resolution.
        Further, the IRS stated that all
        confirmed weaknesses for the MeF System have been reported in the system POA&Ms
        or in the appropriate General Support System POA&M.

[7] Internal Revenue Code Section (§) 6103 (26 U.S.C. § 6103) and the Taxpayer Browsing Protection Act of 1997
(26 U.S.C.A. §§ 7213, 7213A, and 7431 (West 2006)).
[8] See Appendix IV.
[9] 44 U.S.C. §§ 3541 – 3549.

        Office of Audit Comment: In its management comments, the IRS noted disagreement
        with the statement, “there were 12 additional security controls that were not in place.”
        Specifically, the IRS disagreed with our assessment that all confirmed security
        weaknesses were not immediately mitigated and included in the POA&Ms and were not
        adequately documented, reported, and tracked to resolution. The IRS stated it has
        currently accounted for all security controls confirmed as not in place within the
        POA&Ms by confirming these through a Security Assessment and Authorization
        currently in progress. However, the TIGTA maintains that the POA&Ms should be
        continuously monitored and updated as weaknesses are identified or changes occur and
        milestones are achieved.
        This will ensure the accuracy of the information that is reported
        quarterly to the Department of the Treasury.

Issue Management Processes Need Improvement

The MeF Project Office did not follow the MeF Risk Management Plan, which requires all issues
and candidate risks to be entered into the Item Tracking Reporting and Control (ITRAC) System
to ensure monitoring and control by external stakeholders. During our review of the
administration and oversight of the MeF Program, we identified several issues and risks that the
IRS did not properly track. Specifically:
   •   Even though issues were identified in the Information Technology Project Control
       Review, they were not tracked using the issue management tool.
   •   Even though MeF Project Office personnel tracked candidate risks using an external
       watch list, they did not enter those candidate risks into the ITRAC System as required by
       the MeF Risk Management Plan.

The MeF Risk Management Plan requires that all information technology major and nonmajor
projects maintain risk, issue, and action item data in a central, common repository. Specifically,
personnel will periodically review, monitor, and update risks and issues in the ITRAC System.
MeF Project Office management stated that it was not realistic to track all possible risks in the
ITRAC System. Therefore, they developed an external watch list used for evaluating candidate
risks and elevating them to active risks prior to entering them into the ITRAC System.
However, MeF Project Office personnel did not develop guidelines or procedures for using the watch list,
which was used to supplement the requirements outlined in the MeF Risk Management Plan.
The lack of adherence to guidance negatively affects the IRS’s ability to efficiently monitor and
track issues that are critical for external stakeholder awareness.

Recommendation

Recommendation 4: The Chief Technology Officer should ensure that all issues and
candidate risks are included in the ITRAC System or those procedures outside the scope of the
MeF Risk Management Plan are properly documented and approved.

        Management’s Response: The IRS agreed with the recommendation. The MeF
        Project Office will document candidate risks and issues in the ITRAC System. The
        candidate risks and issues will be worked through the standard risk and issue process, and
        the ITRAC System will be updated accordingly.

Appendix I

Detailed Objective, Scope, and Methodology

Our overall objective was to determine whether the IRS properly identified and corrected
MeF System performance and stability problems identified during the 2010 Filing Season.[1] To
accomplish this objective, we:
I.      Determined whether the 2010 Filing Season MeF System performance and stability
        problems have been identified, evaluated, and included as an action item for
        improvement for the 2011 Filing Season.
        A. Reviewed how MeF System performance and stability problems were identified,
           tracked, and evaluated to determine whether a corrective action is necessary for the
           upcoming 2011 Filing Season.
        B. Reviewed the applicable problem reporting tracking documentation developed by the
           MeF Program Office for performance and stability problems and determined whether
           all 2010 Filing Season performance and stability problems identified were
           documented to show how the item would be resolved for the upcoming 2011 Filing
           Season.
        C. Reviewed all identified 2010 Filing Season potential performance and stability
           enhancements and determined if they were evaluated and included as a corrective
           action for improvement for the upcoming 2011 Filing Season.
II.     Determined whether the MeF Release 6.2 was adequately tested prior to implementation,
        the test plan includes all aspects of the updated system, and all unexpected results are
        thoroughly resolved. As determined in our prior MeF System audit,[2] although the PET
        traced requirements between the Business System Requirements Report Final and the
        System Integration and Test Plan, the System Integration and End of Test Completion
        Report showed the test results were not traced to the requirements and the application did
        not execute all of the requirements as expected. Additionally, we determined if project
        releases are deployed only after all system requirements were tested and met, and that test
        results were verified to ensure their completeness and accuracy.
        If requirements were not
        met, defect reports should be prepared to allow for appropriate resolution by retesting or
        waiving the requirement prior to deployment.

[1] See Appendix VI for a glossary of terms.
[2] Modernized e-File Will Enhance Processing of Electronically Filed Individual Tax Returns, but System
Development and Security Need Improvement (Reference Number 2010-20-041, dated May 26, 2010).

        A. Determined if all aspects of the MeF System were tested, as outlined in the detailed
           requirements (whether all requirements listed in the Requirements Traceability
           Matrix and Business Systems Requirements Report are tested).
        B. Determined if all performance and stability problems identified during the
           2010 Filing Season were tested as outlined in the performance evaluation
           documentation. According to the prior TIGTA audit report, the IRS cited its
           milestone readiness review as a process for monitoring a project’s progress toward
           satisfying exit conditions and for making formal go/no-go recommendations to the
           Executive Steering Committee. However, the TIGTA determined that with the
           significant number of failed tests reported and the subsequent problems with rejected
           individual income tax returns filed, the Executive Steering Committee did not have
           sufficient and timely information to make an informed risk-based decision for
           deploying MeF Release 6.1.
           Therefore, we specifically determined whether all
           system requirements were tested and results were verified prior to deployment. We
           reviewed Executive Steering Committee meeting minutes to determine if testing
           reports were discussed prior to deployment.
        C. Determined if all testing process documentation exists as required by the Enterprise
           Life Cycle. We obtained and reviewed testing-related documentation (e.g., test plans,
           test cases, test execution schedules, and end-of-test report and defects logs).
III.    Determined whether Change Management activities that will result in changes to the
        production environment are effective. Activities include change initiation and approval,
        modification, development, and testing and acceptance.
        A. Determined if all changes to the MeF System are properly initiated and approved in
           accordance with the Enterprise Life Cycle.
        B. Verified code changes are modified/developed in an area separate from the
           testing/quality assurance and production environments.
        C. Verified code is tested in a segregated/controlled environment (testing/quality
           assurance, which is separate from development and production).
        D. Determined if all the test results are reviewed and approved by the end users. We
           verified the method of user acceptance (e.g., verbal or written).
IV.     Determined whether corrective actions were implemented or modified since the last audit
        by discussing procedures with appropriate IRS personnel in the Cybersecurity
        organization. Specifically, based on the due dates of the security material weakness
        discovered in the prior audit report, the security vulnerabilities discovered were not
        scheduled for completion until June 2010 and April 2011.
        Two security vulnerabilities
        for audit trails were not adequately controlled to reach resolution as part of the
        MeF Release 6.1 deployment.
        A. Determined whether the MeF System and database still have audit log weaknesses,
           including whether:
            1. All required auditable events are captured.
            2. An official is assigned to monitor and maintain system audit mechanisms.
            3. Database audit reduction tools are used.
            4. Users who only require limited access do not have full capabilities to access
               database records, including taxpayer information.
            5. An audit log review process is in place, and logs are being reviewed by
               MeF System officials.
        B. Determined what specific process improvements occurred to ensure all system
           owners follow IRS policy designed to ensure all system security weaknesses are
           entered and tracked to resolution.
        C. Determined if MeF System security issues are being tracked in the POA&M.
        D. Contacted the Security and Information Technology Services Security group to
           determine if security issues have been identified in the MeF Program.
        E. Reviewed the Joint Audit Management Enterprise System report associated with prior
           corrective actions from prior TIGTA audits to determine the current status of those
           actions and how the corrective actions are being documented.

Internal Controls Methodology

Internal controls relate to management’s plans, methods, and procedures used to meet their
mission, goals, and objectives.
Internal controls include the processes and procedures for
planning, organizing, directing, and controlling program operations. They include the systems
for measuring, reporting, and monitoring program performance. We determined the following
internal controls were relevant to our audit objective: the Enterprise Life Cycle and related IRS
guidelines and the processes followed in the development of information technology projects.
We evaluated these controls by reviewing the guidelines, conducting interviews and meetings
with management and staff, and reviewing project documents.

Appendix II

Major Contributors to This Report

Alan R. Duncan, Assistant Inspector General for Audit (Security and Information Technology
Services)
Kimberly R. Parmley, Acting Director
Ryan R. Perry, Lead Auditor
Charlene L. Elliston, Senior Auditor
Beverly K. Tamanaha, Senior Auditor
Suzanne M. Westcott, Senior Auditor
Louis V. Zullo, Senior Auditor
Monique S. Queen, Information Technology Specialist

Appendix III

Report Distribution List

Commissioner C
Office of the Commissioner - Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Deputy Chief Information Officer for Strategy/Modernization OS:CTO
Director, Privacy, Information Protection and Data Security OS:P
Associate Chief Information Officer, Enterprise Operations OS:CIO:EO
Deputy Associate Chief Information Officer, Applications Development OS:CTO:AD
Director, Program Management OS:CTO:AD:PM
Director, Submission Processing OS:CTO:AD:SP
Chief, Program Evaluation and Improvement, Wage and Investment Division SE:W:S:PRA:PEI
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OS:CFO:CPIC:IC
Audit Liaisons:
       Chief, Program Evaluation and Improvement, Wage and Investment Division
       SE:W:S:PRA:PEI
       Associate Chief Information Officer, Applications Development OS:CTO:AD
       Director, Risk Management Division OS:CTO:SP:RM

Appendix IV

Enterprise Life Cycle Overview

The Enterprise Life Cycle is the IRS’s standard approach to business change and information
systems initiatives. It is a collection of program and project management best practices designed
to manage business change in a successful and repeatable manner. The Enterprise Life Cycle
addresses large and small projects developed internally and by contractors.

The Enterprise Life Cycle includes such requirements as:
   •   Development of and conformance to an enterprise architecture.
   •   Improving business processes prior to automation.
   •   Use of prototyping and commercial software, where possible.
   •   Obtaining early benefit by implementing solutions in multiple releases.
   •   Financial justification, budgeting, and reporting of project status.

In addition, the Enterprise Life Cycle improves the IRS’s ability to manage changes to the
enterprise; estimate the cost of changes; and engineer, develop, and maintain systems effectively.

Figure 1 provides an overview of the phases and milestones within the Enterprise Life Cycle. A
phase is a broad segment of work encompassing activities of similar scope, nature, and detail and
providing a natural breakpoint in the life cycle. Each phase begins with a kickoff meeting and
ends with an executive management decision point (milestone), at which IRS executives make
“go/no-go” decisions for continuation of a project.
Project funding decisions are often associated
with milestones.

Figure 1: Enterprise Life Cycle Phases and Milestones

Phase                             General Nature of Work                                  Milestone
Vision and Strategy/              High-level direction setting. This is the only          0
Enterprise Architecture Phase     phase for enterprise planning projects.
Project Initiation Phase          Startup of development projects.                        1
Domain Architecture Phase         Specification of the operating concept,                 2
                                  requirements, and structure of the solution.
Preliminary Design Phase          Preliminary design of all solution components.          3
Detailed Design Phase             Detailed design of solution components.                 4A
System Development Phase          Coding, integration, testing, and certification of      4B
                                  solutions.
System Deployment Phase           Expanding availability of the solution to all target    5
                                  users. This is usually the last phase for
                                  development projects.
Operations and                    Ongoing management of operational systems.              System
Maintenance Phase                                                                         Retirement

Source: The Enterprise Life Cycle Guide.

Appendix V

Modernized e-File System
Unresolved Security Weaknesses Not Being Tracked
in the Plan of Action and Milestones

The following table presents unresolved security weaknesses identified by the IRS Cybersecurity
organization affecting the MeF System. Based on our review of these security weaknesses and
information provided by the IRS, the weaknesses remain unresolved and are not being tracked in
the POA&Ms as required.
The table includes the security weaknesses and when they were
identified.

                                     MeF Release 6.1,  MeF Release 6.1,                    MeF Release 6.2,
                                     Security Risk     Security Risk     TIGTA Report      Security Risk
                                     Assessment        Assessment        2010-20-041,      Assessment
                                     Report, dated     Report, dated     dated             Report, dated
#   Security Weakness                October 16, 2009  April 15, 2010    May 26, 2010      November 1, 2010

1   After three unsuccessful         X                 X                 X                 X (Risk-Based Decision)
    attempts, the MeF System
    automatically locks out the
    offending user accounts for
    only 15 minutes. Therefore,
    it did not enforce automatic
    account locks on user
    accounts for a minimum of
    24 hours in accordance with
    IRS policies.
2   MeF Release 6.1 will utilize     X                 X                 X
    Business Objects[1] for
    statistical reporting. Ad hoc
    reports generated are not
    marked “Sensitive But
    Unclassified” and are not
    adequately protected.
3   MeF Security Audit and           X                 X                 X
    Analysis System logs are
    not populated with two
    required fields. The two
    fields that were missing
    were the Error Code and
    Return Message.
4   The system is not                                  X
    configured to automatically
    alert personnel in the event
    of audit log failure.
5   The processes for                                                    X                 X (Risk-Based Decision)
    establishing and confirming
    user identification on the
    MeF System did not meet
    Federal Government
    standards for accrediting
    cryptographic modules.
6   Virus checking is disabled                                                             X (Risk-Based Decision)
    on state-specific responses
    in the Extensible Markup
    Language Gateways for the
    MeF System.
7   Application-to-application                                                             X
    sessions are not terminated
    after 15 minutes of
    inactivity.

Source: MeF Release 6.1, Security Risk Assessment Report, dated October 16, 2009; MeF Release 6.1, Security
Assessment Report, dated April 15, 2010; prior TIGTA report, Modernized e-File Will Enhance Processing of
Electronically Filed Individual Tax Returns, but System Development and Security Need Improvement (Reference
Number 2010-20-041, dated May 26, 2010); and MeF Release 6.2, Security Risk Assessment Report, dated
November 1, 2010.

[1] See Appendix VI for a glossary of terms.
                Performance Issues and Security Weaknesses\n\n\n\n                                                                              Appendix VI\n\n                               Glossary of Terms\n\n            Term                                         Definition\nBusiness Objects               Objects in an object-oriented computer program that represent\n                               the entities in the business domain that the program is\n                               designed to support. For example, an order entry program\n                               might have business objects to represent each order, line\n                               items, and invoices.\nCapability Maturity Model      A model or collection of \xe2\x80\x9cbest practices\xe2\x80\x9d that organizations\nIntegration\xc2\xae                   follow to dramatically improve the effectiveness, efficiency,\n                               and quality of their product and service development work.\nCode Optimization              The process of modifying a software system to make some\n                               aspect of it work more efficiently or use fewer resources.\nConfiguration Management       A practice to establish proper control over approved project\n                               documentation, hardware, and software and assuring changes\n                               are authorized, controlled, and tracked.\nEnterprise Life Cycle          A structured business systems development method that\n                               requires the preparation of specific work products during\n                               different phases of the development process.\nExecutive Steering Committee   A committee that oversees investments, including validating\n                               major investment business requirements and ensuring that\n                               enabling technologies are defined, developed, and\n                               
                                  implemented.

Extensible Markup Language        The universal format for structured documents and data on the
                                  Web.

Filing Season                     The period from January through mid-April when most
                                  individual income tax returns are filed.

General Support System            OMB Circular A-130 defines a general support system as an
                                  “interconnected set of information resources under the same
                                  direct management control that shares common functionality.
                                  It normally includes hardware, software, information, data,
                                  applications, communications, and people.”

Governance                        An IRS-designed enterprise governance model that assigns all
                                  information technology projects to an appropriate executive
                                  oversight body.

Information Technology Asset      This system delivers an inventory system that enables
Management System                 tracking, reporting, and management of information
                                  technology assets.

Issue                             A situation or condition that either 1) currently has negative
                                  consequences for an information technology program/project
                                  or organization or 2) has 100 percent probability of having
                                  negative consequences for the
                                  program/project or
                                  organization.

Item Tracking Reporting and       An information system used to track and report on issues,
Control System                    risks, and action items in the modernization effort.

MeF Backend                       Represents the MeF System application servers and the
                                  application software hosted on the application servers that
                                  perform submission validation and processing.

MeF Frontend                      Represents the Extensible Markup Language gateways and
                                  Simple Object Access Protocol Web Application Server
                                  architecture that performs entry and authentication services in
                                  order to get to the MeF Backend.

Milestone                         Milestones provide for “go/no-go” decision points in a project
                                  and are sometimes associated with funding approval to
                                  proceed.

National Institute of Standards   An agency under the Department of Commerce responsible
and Technology                    for developing standards and guidelines, including minimum
                                  requirements, for providing adequate information security for
                                  all Federal Government agency operations and assets.

Oracle 11g                        A relational database management system, with version 11g
                                  being first introduced in Calendar Year 2007. Oracle 11g
                                  enables clusters of low-cost, industry standard servers to be
                                  treated as a single unit and features built-in testing for
                                  changes, the capability of viewing tables back in time,
                                  compression capability for all types of data, and enhanced
                                  disaster recovery functions.

Plan of Action and Milestones     A tool that Federal agencies must use to assist in identifying,
                                  assessing, prioritizing, and monitoring the progress of
                                  corrective efforts for security weaknesses found in programs
                                  and systems. A POA&M identifies tasks to correct
                                  weaknesses, resources required, and scheduled completion
                                  dates.

Portal                            A point of entry to a network system that includes a search
                                  engine or a collection of links to other sites usually arranged
                                  by topic.
                                  It provides the infrastructure that allows users
                                  (including IRS employees and taxpayers) to have web-based
                                  access to IRS information.

Release                           A specific edition of software.

Requirement                       A formalization of a need and the statement of a capability or
                                  condition that a system, subsystem, or system component must
                                  have or meet to satisfy a contract, standard, or specification.

Risk                              A potential event that could have an unwanted impact on the
                                  cost, schedule, business, or technical performance of an
                                  information technology program/project or organization.

Risk-Based Decision               A risk-based decision is considered when meeting the
                                  requirement is technically or operationally not possible or is
                                  not cost-effective.
                                  It is required for any situation in which the
                                  system will be operating outside of IRS information
                                  technology security policy or National Institute of Standards
                                  and Technology guidelines, whether related to a technical,
                                  operational, or management control.

Security Audit and Analysis       This system implements a data warehousing solution to
System                            provide online analytical processing of audit trail data.


                                                                              Appendix VII

                    Management’s Response to the Draft Report